lids-1.1.1r2-2.4.18.patch

关于LINUX安全内核的源代码

+#ifdef CONFIG_LIDS
+	lids_security_alert("CAP_SYS_ADMIN violation: mount_is_safe");
+#endif
+ 	return -EPERM;
 #ifdef notyet
 	if (S_ISLNK(nd->dentry->d_inode->i_mode))
 		return -EPERM;
@@ -546,8 +554,12 @@
 	int err;
 	struct super_block * sb = nd->mnt->mnt_sb;
 
-	if (!capable(CAP_SYS_ADMIN))
+	if (!capable(CAP_SYS_ADMIN)) {
+#ifdef CONFIG_LIDS
+	lids_security_alert("CAP_SYS_ADMIN violation: do_remount");
+#endif
 		return -EPERM;
+	}
 
 	if (!check_mnt(nd->mnt))
 		return -EINVAL;
@@ -833,8 +845,12 @@
 	char *name;
 	int error;
 
-	if (!capable(CAP_SYS_ADMIN))
+	if (!capable(CAP_SYS_ADMIN)) {
+#ifdef CONFIG_LIDS
+	lids_security_alert("CAP_SYS_ADMIN violation: sys_pivot_root");
+#endif
 		return -EPERM;
+	}
 
 	lock_kernel();
 
diff -Nru linux-2.4.18-ori/fs/open.c linux-2.4.18-lids-1.1.1r2/fs/open.c
--- linux-2.4.18-ori/fs/open.c	Fri Oct 12 22:48:42 2001
+++ linux-2.4.18-lids-1.1.1r2/fs/open.c	Thu Apr 11 18:02:44 2002
@@ -20,6 +20,10 @@
 
 #define special_file(m) (S_ISCHR(m)||S_ISBLK(m)||S_ISFIFO(m)||S_ISSOCK(m))
 
+#ifdef CONFIG_LIDS
+#include <linux/lids.h>
+#endif
+
 int vfs_statfs(struct super_block *sb, struct statfs *buf)
 {
 	int retval = -ENODEV;
@@ -81,6 +85,17 @@
 	if (length < 0)
 		return -EINVAL;
 
+#ifdef CONFIG_LIDS
+        if (lids_load && lids_local_load) {
+                if (lids_check_base(dentry,LIDS_WRITE) < 0) {
+                        lids_security_alert("Attempt to truncate a protected file (dev %d %d,inode %ld)",
+                                            MAJOR(dentry->d_inode->i_dev),
+                                            MINOR(dentry->d_inode->i_dev),
+                                            dentry->d_inode->i_ino);
+                        return -EPERM;
+                }
+        }
+#endif
 	down(&inode->i_sem);
 	newattrs.ia_size = length;
 	newattrs.ia_valid = ATTR_SIZE | ATTR_CTIME;
@@ -244,7 +259,15 @@
 	error = -EROFS;
 	if (IS_RDONLY(inode))
 		goto dput_and_out;
-
+#ifdef CONFIG_LIDS
+ 	if(lids_load && lids_local_load) {
+           	if (lids_check_base(nd.dentry,LIDS_WRITE)) {
+           		lids_security_alert("Attempt to change utime of %s",filename);
+			error = -EPERM;
+			goto dput_and_out;
+        	}
+ 	}
+#endif
 	/* Don't worry, the checks are done in inode_change_ok() */
 	newattrs.ia_valid = ATTR_CTIME | ATTR_MTIME | ATTR_ATIME;
 	if (times) {
@@ -260,6 +283,7 @@
 		    (error = permission(inode,MAY_WRITE)) != 0)
 			goto dput_and_out;
 	}
+
 	error = notify_change(nd.dentry, &newattrs);
 dput_and_out:
 	path_release(&nd);
@@ -346,6 +370,14 @@
 		if(!res && (mode & S_IWOTH) && IS_RDONLY(nd.dentry->d_inode)
 		   && !special_file(nd.dentry->d_inode->i_mode))
 			res = -EROFS;
+#ifdef CONFIG_LIDS
+                if(!res && (mode & S_IWOTH ) && lids_load && lids_local_load) {
+                        if (lids_check_base(nd.dentry,LIDS_WRITE)) {
+                                lids_security_alert("Attempt to access %s",filename);
+                                res=-EPERM;
+                        }
+                }
+#endif
 		path_release(&nd);
 	}
 
@@ -439,8 +471,12 @@
 		goto dput_and_out;
 
 	error = -EPERM;
-	if (!capable(CAP_SYS_CHROOT))
+	if (!capable(CAP_SYS_CHROOT)) {
+#ifdef CONFIG_LIDS
+		lids_security_alert("CAP_SYS_CHROOT violation: Attempt to chroot %s",filename);
+#endif
 		goto dput_and_out;
+	}
 
 	set_fs_root(current->fs, nd.mnt, nd.dentry);
 	set_fs_altroot();
@@ -469,6 +505,15 @@
 	err = -EROFS;
 	if (IS_RDONLY(inode))
 		goto out_putf;
+#ifdef CONFIG_LIDS
+        if( lids_load && lids_local_load) {
+                if (lids_check_base(dentry,LIDS_WRITE)) {
+                        lids_security_alert("Attempt to fchmod a file to mode %o",mode);
+                        err=-EPERM;
+                        goto out_putf;
+                }
+        }
+#endif
 	err = -EPERM;
 	if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
 		goto out_putf;
@@ -500,6 +545,16 @@
 	if (IS_RDONLY(inode))
 		goto dput_and_out;
 
+#ifdef CONFIG_LIDS
+        if( lids_load && (nd.dentry != NULL) && lids_local_load) {
+                if (lids_check_base(nd.dentry,LIDS_WRITE)) {
+                        lids_security_alert("Attempt to chmod %.1024s to mode %o",
+                                            filename,mode);
+                        error=-EPERM;
+                        goto dput_and_out;
+                }
+        }
+#endif
 	error = -EPERM;
 	if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
 		goto dput_and_out;
@@ -530,6 +585,15 @@
 	error = -EROFS;
 	if (IS_RDONLY(inode))
 		goto out;
+#ifdef CONFIG_LIDS
+        if( lids_load && (dentry != NULL) && lids_local_load) {
+                if (lids_check_base(dentry,LIDS_WRITE) < 0) {
+                        lids_security_alert("Attempt to chown");
+                        error=-EPERM;
+                        goto out;
+                }
+        }
+#endif
 	error = -EPERM;
 	if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
 		goto out;
@@ -876,6 +940,9 @@
 		tty_vhangup(current->tty);
 		return 0;
 	}
+#ifdef CONFIG_LIDS
+	lids_security_alert("CAP_SYS_TTY_CONFIG violation: Attempt to hangup tty");
+#endif
 	return -EPERM;
 }
 
diff -Nru linux-2.4.18-ori/fs/proc/base.c linux-2.4.18-lids-1.1.1r2/fs/proc/base.c
--- linux-2.4.18-ori/fs/proc/base.c	Mon Feb 25 20:38:09 2002
+++ linux-2.4.18-lids-1.1.1r2/fs/proc/base.c	Tue Apr 30 14:54:23 2002
@@ -971,6 +971,11 @@
 	read_unlock(&tasklist_lock);
 	if (!task)
 		goto out;
+#ifdef CONFIG_LIDS
+	if (cap_raised(task->lids_cap,CAP_HIDDEN) && lids_load && lids_local_load) 
+		inode=NULL;
+	else
+#endif
 
 	inode = proc_pid_make_inode(dir->i_sb, task, PROC_PID_INO);
 
@@ -1018,6 +1023,10 @@
 		int pid = p->pid;
 		if (!pid)
 			continue;
+#ifdef CONFIG_LIDS
+		if ( cap_raised(p->lids_cap,CAP_HIDDEN) && lids_load && lids_local_load)
+			continue;
+#endif
 		if (--index >= 0)
 			continue;
 		pids[nr_pids] = pid;
diff -Nru linux-2.4.18-ori/fs/proc/root.c linux-2.4.18-lids-1.1.1r2/fs/proc/root.c
--- linux-2.4.18-ori/fs/proc/root.c	Sun Oct 21 04:14:42 2001
+++ linux-2.4.18-lids-1.1.1r2/fs/proc/root.c	Thu Apr 11 18:02:44 2002
@@ -17,6 +17,10 @@
 #include <linux/module.h>
 #include <asm/bitops.h>
 
+#ifdef CONFIG_LIDS_HIDE_PROC
+#include <linux/lids.h>
+#endif
+
 struct proc_dir_entry *proc_net, *proc_bus, *proc_root_fs, *proc_root_driver;
 
 #ifdef CONFIG_SYSCTL
diff -Nru linux-2.4.18-ori/fs/read_write.c linux-2.4.18-lids-1.1.1r2/fs/read_write.c
--- linux-2.4.18-ori/fs/read_write.c	Mon Feb 25 20:38:09 2002
+++ linux-2.4.18-lids-1.1.1r2/fs/read_write.c	Thu Apr 11 18:02:44 2002
@@ -14,6 +14,10 @@
 
 #include <asm/uaccess.h>
 
+#ifdef CONFIG_LIDS
+#include <linux/lidsext.h>
+#endif
+
 struct file_operations generic_ro_fops = {
 	llseek:		generic_file_llseek,
 	read:		generic_file_read,
@@ -153,6 +157,16 @@
 	file = fget(fd);
 	if (file) {
 		if (file->f_mode & FMODE_READ) {
+#ifdef CONFIG_LIDS
+			struct inode *inode;
+			inode = file->f_dentry->d_inode;
+			if (inode && S_ISBLK(inode->i_mode) && (!capable(CAP_SYS_RAWIO)))
+			if ( (lids_load) && lids_local_load) { 
+				lids_security_alert("CAP_SYS_RAWIO violation: Attempt to read to raw device %d:%d", MAJOR(inode->i_dev),MINOR(inode->i_dev));
+				fput(file);
+				return ret;
+			}
+#endif
 			ret = locks_verify_area(FLOCK_VERIFY_READ, file->f_dentry->d_inode,
 						file, file->f_pos, count);
 			if (!ret) {
@@ -184,8 +198,16 @@
 			if (!ret) {
 				ssize_t (*write)(struct file *, const char *, size_t, loff_t *);
 				ret = -EINVAL;
-				if (file->f_op && (write = file->f_op->write) != NULL)
+				if (file->f_op && (write = file->f_op->write) != NULL) {
+#ifdef CONFIG_LIDS
+					if (inode && S_ISBLK(inode->i_mode) && (!capable(CAP_SYS_RAWIO))) {
+						lids_security_alert("CAP_SYS_RAWIO violation: Attempt to write to raw device %d:%d", MAJOR(inode->i_dev),MINOR(inode->i_dev));
+					}
+					else 
+#endif
+						
 					ret = write(file, buf, count, &file->f_pos);
+				}
 			}
 		}
 		if (ret > 0)
diff -Nru linux-2.4.18-ori/fs/readdir.c linux-2.4.18-lids-1.1.1r2/fs/readdir.c
--- linux-2.4.18-ori/fs/readdir.c	Sun Aug 12 23:59:08 2001
+++ linux-2.4.18-lids-1.1.1r2/fs/readdir.c	Thu Apr 11 18:02:44 2002
@@ -13,10 +13,15 @@
 
 #include <asm/uaccess.h>
 
+#ifdef CONFIG_LIDS
+#include <linux/lids.h>
+#endif
+
 int vfs_readdir(struct file *file, filldir_t filler, void *buf)
 {
 	struct inode *inode = file->f_dentry->d_inode;
 	int res = -ENOTDIR;
+
 	if (!file->f_op || !file->f_op->readdir)
 		goto out;
 	down(&inode->i_sem);
@@ -120,6 +125,9 @@
 struct readdir_callback {
 	struct old_linux_dirent * dirent;
 	int count;
+#ifdef CONFIG_LIDS
+       struct dentry *r_dentry;
+#endif
 };
 
 static int fillonedir(void * __buf, const char * name, int namlen, loff_t offset,
@@ -130,6 +138,18 @@
 
 	if (buf->count)
 		return -EINVAL;
+#ifdef CONFIG_LIDS
+        if(lids_load && lids_local_load) {
+                if(lids_check_hidden_inode(ino,buf->r_dentry->d_inode->i_dev) < 0 )
+               {
+                       struct dentry d=*(buf->r_dentry);
+                       struct inode i=*(buf->r_dentry->d_inode);
+                       i.i_ino=ino;
+                       d.d_inode=&i;
+                       if (lids_check_base(&d,LIDS_READONLY)) return 0;
+               }
+        }
+#endif
 	buf->count++;
 	dirent = buf->dirent;
 	put_user(ino, &dirent->d_ino);
@@ -153,7 +173,16 @@
 
 	buf.count = 0;
 	buf.dirent = dirent;
-
+#ifdef CONFIG_LIDS
+	/* FIXME, may be a member of dentry will be good*/
+	buf.r_dentry = 0;
+	if(file->f_dentry) {
+		if (file->f_dentry->d_inode)
+	 		buf.r_dentry = file->f_dentry;
+		else
+			printk(__FUNCTION__":bug!!\n");
+	}
+#endif
 	error = vfs_readdir(file, fillonedir, &buf);
 	if (error >= 0)
 		error = buf.count;
@@ -181,6 +210,9 @@
 	struct linux_dirent * previous;
 	int count;
 	int error;
+#ifdef CONFIG_LIDS
+	struct dentry *g_dentry;
+#endif
 };
 
 static int filldir(void * __buf, const char * name, int namlen, loff_t offset,
@@ -194,6 +226,19 @@
 	if (reclen > buf->count)
 		return -EINVAL;
 	dirent = buf->previous;
+#ifdef CONFIG_LIDS
+	/* added by xhg at 2000-4-14 */
+	if(lids_load && lids_local_load) {
+                if(lids_check_hidden_inode(ino,buf->g_dentry->d_inode->i_dev) < 0 )
+                {
+                        struct dentry d=*(buf->g_dentry);
+                        struct inode i=*(buf->g_dentry->d_inode);
+                        i.i_ino=ino;
+                        d.d_inode=&i;
+                        if (lids_check_base(&d,LIDS_READONLY)) return 0;
+		}
+	}
+#endif
 	if (dirent)
 		put_user(offset, &dirent->d_off);
 	dirent = buf->current_dir;
@@ -224,7 +269,16 @@
 	buf.previous = NULL;
 	buf.count = count;
 	buf.error = 0;
-
+#ifdef CONFIG_LIDS
+/* FIXME, may be a member of dentry will be good*/
+	buf.g_dentry = 0;
+	if(file->f_dentry) {
+		if(file->f_dentry->d_inode)
+			buf.g_dentry = file->f_dentry;
+		else
+			printk(__FUNCTION__":BUG!!");
+	}
+#endif
 	error = vfs_readdir(file, filldir, &buf);
 	if (error < 0)
 		goto out_putf;
@@ -259,6 +313,9 @@
 	struct linux_dirent64 * previous;
 	int count;
 	int error;
+#ifdef CONFIG_LIDS
+	struct dentry *g_dentry
+#endif
 };
 
 static int filldir64(void * __buf, const char * name, int namlen, loff_t offset,
@@ -272,6 +329,19 @@
 	if (reclen > buf->count)
 		return -EINVAL;
 	dirent = buf->previous;
+#ifdef CONFIG_LIDS
+        /* added by xhg at 2000-4-14 */   
+        if(lids_load && lids_local_load) {
+                if(lids_check_hidden_inode(ino,buf->g_dentry->d_inode->i_dev) < 0 )
+               {
+                       struct dentry d=*(buf->g_dentry);
+                       struct inode i=*(buf->g_dentry->d_inode);
+                       i.i_ino=ino;
+                       d.d_inode=&i;
+                       if (lids_check_base(&d,LIDS_READONLY)) return 0;
+               }
+        }
+#endif
 	if (dirent) {
 		d.d_off = offset;
 		copy_to_user(&dirent->d_off, &d.d_off, sizeof(d.d_off));
@@ -307,7 +377,16 @@
 	buf.previous = NULL;
 	buf.count = count;
 	buf.error = 0;
-
+#ifdef CONFIG_LIDS
+/* FIXME, may be a member of dentry will be good*/
+        buf.g_dentry = 0;
+        if(file->f_dentry) {
+        	if(file->f_dentry->d_inode)
+                	buf.g_dentry = file->f_dentry;
+        	else    
+        		printk(__FUNCTION__":BUG!!");